Archive

Kovter is a malware family that is well known for being tricky to detect and remove because of its file-less design after infection. Users from United States are nearly exclusively being targeted, and infected PCs are used to perform click-fraud and install additional malware on your machine.

Starting April 21, 2016, we observed a large Kovter malware attack where in just a week and a half we protected over 350,000 PCs from this threat. Interestingly, for this campaign the attackers managed to acquire trusted SSL digital certificates to secure an HTTPS SSL connection and their own code signing certificate to sign the downloaded malware with.

Kovter carried out this attack campaign using a technique called malvertising, masquerading as a fake Adobe Flash update. In this blog we will share some research into the structure of their malvertising attack, how our MSRT release will be cleaning it up, and the technical details of how Kovter installs and attempts to remain persistent as a file-less malware after it infects a PC.

Kovter’s digitally signed malvertising campaign

Malvertising is a technique used by bad actors to attack your PC, where they buy advertisement space with ad networks, ad exchanges, and ad publishers. These ads then appear on many websites who use the same advertisement network, and attacks some of the users as they visit the websites.

Unlike typical advertisements that require a user click, malvertising attacks often attack as soon as you visit a website that displays them.

Using this technique, we’ve seen malicious attackers use varied techniques such as:

Displaying repeated message boxes claiming your PC is infected and encouraging you to call a support phone number for help. These are malicious and they have not detected a problem on your PC.

Attempting to lock your browser and demanding payment as ransomware. You can close your browser or restart your computer to escape. This type of ransomware hasn’t really locked your PC.

Loading an exploit kit to attack your browser or browser plugin.

Claiming your browser, Adobe Flash Player, or Java is out of date and in need of an update. Often they will claim the update is required to view the website content or is needed for security reasons. Keeping these applications up-to-date is really important to keep your PC safe and secure from the latest vulnerabilities. However, you should never trust a website claiming to detect security problems on your PC. Instead, let these apps update if they request to outside of your browser or search for the official websites to install the missing components.

The recent Kovter malvertising attack falls into this last category, using a social engineering attack that states that your Adobe Flash is out of date and needs to be updated for security reasons.

Figure 1 below illustrates the Kovter infection chain used in this attack. Users visiting effected websites are redirected to fake websites impersonating the Adobe Flash hallmark download page claiming your Flash Player is out of date, and Trojan:Win32/Kovter is automatically downloaded pretending to be “FlashPlayer.exe”.

Figure 1 – Kovter’s fake Adobe update malvertising infection chain

For this most recent campaign, we saw Kovter perpetrators redirecting to the following domains:

aefoopennypinchingpolly.com

ahcakmbafocus.org

ahxuluthscsa.org

caivelitemind.com

ierietelio.org

paiyafototips.com

rielikumpara.org

siipuneedledoctor.com

ziejaweleda.org

The domains from this campaign and previous campaigns commonly use the same domain registration information, and can be identified by:

Admin Email: monty.ratliff@yandex.com

As soon as the malicious advertisement is displayed, users are redirected to the Kovter social engineering page hosted using HTTPS according to the following pattern:

By using HTTPS, your browser displays a ‘secure’ lock symbol – incorrectly adding to the user trust that the website is safe while at the same time preventing most network intrusion protection systems from protecting the user. Endpoint antimalware solutions, such as Windows Defender, still protect the user however. We were unable to confirm due to the servers being taken down, but reports online suggest trial COMODO SSL certificates were being used to secure these connections for the Kovter campaigns in the past.

When you visit the website, it automatically downloads Kovter as “FlashPlayer.exe”. It downloads from the same domains using a pattern such as:

Some example FlashPlayer.exe downloaded files for reference are as follows:

Sha1

Md5

eafe025671e6264f603868699126d4636f6636c7

c26b064b826f4c1aa6711b7698c58fc0

0686c48fd59a899dfa9cbe181f8c52cbe8de90f0

e0a31d6b58017428dd8c907b14ea334e

62690c0a5a9946f91855a476b7d92447e299c89a

18ccf307730767c4620ae960555b9237

7a678fa58e310749362a432db9ff82aebfb6de62

f6406681e0652e33562d013a8c5329b9

872d157c9c844636dda2f33be83540354e04f709

42b1b775945a4f21f6105df8e9c698c2

37a8ad4a51b6f7b418c17abd8de9fc089a23125d

3767f655a462c4bf13ae83c5f7656af4

cfebfe6d4065dd14493abeb0ae6508a6d874d809

a14a38ebe3856766d55c1af35fb1681f

c48b21c854d6743c9ebe919bf1271cade9613890

321f9b3717655e1886305f4ca01129ad

4df10be4b12f3c7501184097abee681a1045f2ed

0966f977c6d319e838be9b2ceb689fbe

457f0f7fe85fb97841d748af04166f2a3e752efe

7214015e37750f3ee65d5054a5d1ff8a

These downloaded Kovter files were digitally signed by a trusted COMODO certificate under the company name “Itgms Ltd” as follows:

We notified COMODO of the code signing abuse by Kovter and they have since revoked this certificate. We suspect that the actors behind Kovter code-signed their fake Adobe Flash installer to increase the number of users who trust the downloaded file and decide to run it.

The sheer volume of PCs encountering Kovter during this attack, along with the attackers appearing to have been directly issued their own digital certificates is a cause for concern. Lucky for us, the digital signing actually worked to help us better identify files that are Kovter to better protect you – since we are able to uniquely identify and remove all files signed by this certificate. We will be continuing to monitor Kovter to keep you protected.

MSRT coverage

As part of our ongoing effort to provide better malware protection, the May release of the Microsoft Malicious Software Removal Tool (MSRT) includes detections for Kovter and Locky. Locky is a family of ransomware which uses infected Microsoft Office files to download the ransomware onto your PC

By adding Kovter and Locky detections to MSRT we hope to have a bigger impact by reaching more affected machines and helping remove these threats. However, as with all threats, prevention is the best protection.

Kovter Installation

On top of the recent Kovter Adobe Flash malvertising attack, we have also seen this trojan arrive as an attachment to spam emails. We have seen this malware being downloaded by TrojanDownloader:JS/Nemucod, for example:

Sha1: 36e81f09d2e1f9440433b080b056d3437a99a8e1

Md5: 74dccbc97e6bffbf05ee269adeaac7f8

When Kovter is installed, the malware drops its main payload as data in a registry key (HKCUsoftware<random_chars> or HKLMsoftware<random_chars>). For example, we have seen it drop the payload into the following registry keys:

hklmsoftwareoziyns8

hklmsoftware2pxhqtn

hkcusoftwarempcjbe00f

hkcusoftwarefxzozieg

Kovter then installs JavaScript as a run key registry value using paths that automatically run on startup such as: